From Secunia: A vulnerability has been reported in mpg123, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to a signedness error in the "store_id3_text()" function in libmpg123/id3.c. This can be exploited to trigger an out-of-bounds memory access and potentially execute arbitrary code via a specially crafted ID3 tag. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 1.7.2.
Loud-making people: Please bump!
in cvs
Arches, please test and mark stable:
=media-sound/mpg123-1.7.2
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
ppc and ppc64 done
Stable for HPPA.
Stable on alpha.
amd64 stable
sparc stable
ia64/x86 stable
GLSA request filed.
CVE-2009-1301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1301): Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information.
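The bug class named in the CVE text (a signed encoding byte checked only against an upper bound), shown next to an unsigned check. This is an added example, not part of the bug thread and not mpg123's code; `flawed_check`, `safe_term_width` and the `term_width` table are hypothetical names, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ID3v2.4 text encodings: 0 Latin-1, 1 UTF-16 with BOM, 2 UTF-16BE, 3 UTF-8.
 * Terminator width in bytes per encoding (illustrative table, not mpg123's). */
#define ENC_COUNT 4
static const unsigned int term_width[ENC_COUNT] = { 1, 2, 2, 1 };

/* Flawed pattern: the encoding byte is held in a signed type and only the
 * upper bound is tested. Returns 1 if the check passes and stores the index
 * that a table lookup would then use; nothing is dereferenced here. */
int flawed_check(const uint8_t *frame, size_t len, int *index)
{
    if (len < 1)
        return 0;
    signed char enc = (signed char)frame[0]; /* 0x80..0xFF become -128..-1 */
    if (enc >= ENC_COUNT)
        return 0;
    *index = enc;                            /* negative values slip through */
    return 1;
}

/* Hardened pattern: treat the byte as unsigned so one comparison covers both
 * ends of the range. Returns the terminator width, or 0 to reject the frame. */
unsigned int safe_term_width(const uint8_t *frame, size_t len)
{
    if (len < 1)
        return 0;
    unsigned char enc = frame[0];
    if (enc >= ENC_COUNT)
        return 0;
    return term_width[enc];
}

int main(void)
{
    /* Constructed frame bodies: encoding byte followed by text bytes. */
    const uint8_t good[] = { 0x01, 0xFF, 0xFE, 'a', 0x00 };
    const uint8_t bad[]  = { 0xFF, 'a', 'b', 'c' };
    int idx = 0;
    int passed = flawed_check(bad, sizeof bad, &idx);
    printf("good frame: safe width=%u\n", safe_term_width(good, sizeof good));
    printf("bad frame: flawed check passed=%d index=%d, safe width=%u\n",
           passed, idx, safe_term_width(bad, sizeof bad));
    return 0;
}
```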
GLSA 200904-15